Alec Warner wrote: > The fact that Gentoo can continue with the codebase is irrelevant. I > think moreso the fact that a particular Package Manager would be the > 'Gentoo Package Manager' means in my mind that Gentoo is responsible for > said Package Manager. If someone were to slip evil code into said Package > Manager and Gentoo released it; that would be bad. > > Note that with Portage, Gentoo could pull svn access for any individuals > who commit such code. Gentoo have no gaurantee of that with an externally > managed Manager as Gentoo has no control over the source repositories. > > If, by your comment above, Gentoo should maintain it's own branch of said > package manager to insulate itself from issues such as the security issue > defined above; well I think that may be one way to address the problem > presented by Seemant.
Come on, that's a bogus argument. By that logic, we should be maintaining our own branches of, say, sys-apps/shadow, since we don't control the upstream CVS repository. I think something that's installed in the base "system" set would also be perceived as something that Gentoo is responsible for, since we ship it in our stage tarballs, the basic building blocks of a Gentoo system. -- Mike Kelly
signature.asc
Description: OpenPGP digital signature
